Data Protection: Season 2 Merry XSSmas!

Goal: Find XSS vulnerabilities
Duration: from 25.12.2023 to 31.01.2024
Contest basics
Yandex is launching Data Protection Season 2! This year, the focus is on finding XSS vulnerabilities.
We want to see how small or experimental services can impact security in our key products.
So we’re asking our bug hunters to pay special attention to client-side* methods of obtaining the following sensitive data:
  • Yandex 360 (Yandex Mail, Yandex Calendar, Yandex Disk)

    — Email content and attachments in Yandex Mail

    — Files from Yandex Disk

  • Yandex ID

    — Saved documents

    — Access to the Data management tool

  • Ecommerce and Ridetech (Yandex Market, Yandex Eats, Yandex Lavka, Yandex Taxi, Yandex Drive)

    — Ride and order history

    — Favorite and saved addresses

  • Fintech

    — Transaction history on Yandex Pay cards

    — Savings account balances

    — Saved payment card information

Bugs with the biggest rewards:
  Category                                                      Reward
  XSS in Yandex ID, Yandex Mail, and Yandex Drive               $4444 — $5555
  XSS in other services that leads to access to sensitive data  $3333 — $3888
  Blind XSS triggered in internal administrative interfaces     $2777
  XSS in other services without sensitive data                  $1111 — $1666
Examples of the bugs we are waiting for:
[1] Dear Security Team, I found an XSS vulnerability on xxx.forum.yandex.ru where I can access another user’s orders using a CORS request.
[2] It turns out that XXX, where important files are stored, has a WebSocket API that allows connections from any .yandex.ru domain. So all I needed was an XSS on any subdomain, and I found one on yyy.yandex.ru/***
Main rules:
  • You can and should combine multiple vulnerabilities or browser techniques. For example, an XSS on one domain and a CORS request to another.
  • By client-side* methods, we mean CORS, Websockets, PostMessages, JSONP, XSSI, and other browser-based cross-domain interaction techniques that can be used when exploiting XSS.
  • Content Security Policy bypass is not required. However, in some cases the reward may be reduced, for example, if the XSS requires a click and is blocked by the CSP (href=javascript:alert).
  • You can’t attack or test vulnerabilities on real users, only on test accounts. Attempts to violate this rule may result in exclusion from the competition.
  • Be creative and use everything you know about Yandex services.